diff options
| author |   Lee Chee Yang <chee.yang.lee@intel.com> | 2020-12-14 18:52:54 +0800 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2020-12-14 05:58:27 -1000 |
| commit | 02870c7fbaaa1c3869ecb439f5c58fcf40a533be (patch) | |
| tree | bb708e6b11e58e198dd03a16d3db515b5b1e86d6 | |
| parent | 3c85df8f4bcbdb75c3258a76402dd6039fbc73ca (diff) | |
| download | openembedded-core-contrib-02870c7fbaaa1c3869ecb439f5c58fcf40a533be.tar.gz | |
binutils: fix CVE-2020-16592/16598
fix CVE-2020-16592 & CVE-2020-16598
removed changes to Changelog in patch file
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index b5f5a1c69a..f557fe970c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -44,5 +44,7 @@ SRC_URI = "\ file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \ file://CVE-2020-0551.patch \ file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \ + file://CVE-2020-16592.patch \ + file://CVE-2020-16598.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch new file mode 100644 index 0000000000..f5f9ccdd53 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch @@ -0,0 +1,61 @@ +From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 15 Apr 2020 18:58:11 +0930 +Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup + + PR 25823 + * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a + pointer into strings that may be freed for section name, always + allocate a new string. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a] +CVE: CVE-2020-16592 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + bfd/peXXigen.c | 20 ++++++++++---------- + 1 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index b9eeb775d9b..8aa5914acd9 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1) + int unused_section_number = 0; + asection *sec; + flagword flags; ++ size_t name_len; ++ char *sec_name; + + for (sec = abfd->sections; sec; sec = sec->next) + if (unused_section_number <= sec->target_index) + unused_section_number = sec->target_index + 1; + +- if (name == namebuf) ++ name_len = strlen (name) + 1; ++ sec_name = bfd_alloc (abfd, name_len); ++ if (sec_name == NULL) + { +- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1); +- if (name == NULL) +- { +- _bfd_error_handler (_("%pB: out of memory creating name for empty section"), +- abfd); +- return; +- } +- strcpy ((char *) name, namebuf); ++ _bfd_error_handler (_("%pB: out of memory creating name " ++ "for empty section"), abfd); ++ return; + } ++ memcpy (sec_name, name, name_len); + + flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD; +- sec = bfd_make_section_anyway_with_flags (abfd, name, flags); ++ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags); + if (sec == NULL) + { + _bfd_error_handler (_("%pB: unable to create fake empty section"), +-- +2.27.0 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch new file mode 100644 index 0000000000..52bd925c97 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch @@ -0,0 +1,32 @@ +From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 17 Apr 2020 10:38:16 +0930 +Subject: [PATCH] PR25840, Null pointer dereference in objdump + + PR 25840 + * debug.c (debug_class_type_samep): Don't segfault on NULL type. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2] +CVE: CVE-2020-16598 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + binutils/debug.c | 2 ++ + 1 files changed, 2 insertions(+) + +diff --git a/binutils/debug.c b/binutils/debug.c +index 022fa4edffb..5470e155edc 100644 +--- a/binutils/debug.c ++++ b/binutils/debug.c +@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle *info, struct debug_type_s *t1, + names, since that sometimes fails in the presence of + typedefs and we really don't care. */ + if (strcmp (f1->name, f2->name) != 0 ++ || f1->type == NULL ++ || f2->type == NULL + || ! debug_type_samep (info, + debug_get_real_type ((void *) info, + f1->type, NULL), +-- +2.27.0 + |